Slide 1

COMPLIANCE-DRIVEN INFRASTRUCTURE
The quest to make testing and security part of DevOps
Christoph Hartmann, @chri_hartmann | [email protected]

Slide 2

@chri_hartmann $> whoami
Christoph Hartmann
• 8 years in industry
• Deutsche Telekom and SAP
• Co-founded startup VulcanoSec
  • need for missing compliance solutions
  • close collaboration with auditors
• Acquired by Chef Software
  • heading engineering for compliance
  • InSpec creator

Slide 3

Why do we need compliance?
Is compliance preventing innovation?
Compliance-Driven Infrastructure

Slide 4

Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

Slide 5

No content

Slide 6

No content

Slide 7

Regulatory Compliance
• PCI-DSS
• Gramm-Leach-Bliley Act
• HIPAA
• Dodd-Frank
• ISO
• Sarbanes-Oxley
• HITECH
• Grundschutz
• European Central Bank Regulations

Slide 8

COMPLIANCE AND SECURITY
Compliance | Security

Slide 9

State of Security in 2014
• In 60% of cases, attackers can compromise organizations within minutes.
• 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
• Ten vulnerabilities account for 97% of the exploits observed.
Source: Verizon Data Breach Report

Slide 10

Why do we need compliance?
Is compliance preventing innovation?
Compliance-Driven Infrastructure

Slide 11

Deployment
Compliance | DevOps

Slide 12

Compliance is perceived as a blocker

Slide 13

No content

Slide 14

No content

Slide 15

Language
Compliance | DevOps | Security

Slide 16

Scale

Slide 17

Scale

Slide 18

Scale

Slide 19

The tradeoff myth
Axes: QUALITY vs. VELOCITY
Innovation vs. Quality / Security / Compliance

Slide 20

Book: The High Velocity Edge, Steven J. Spear
Competitive advantage

Slide 21

Why do we need compliance?
Is compliance preventing innovation?
Compliance-Driven Infrastructure

Slide 22

Security meets operations
Compliance | DevOps | Security

Slide 23

Common Language
Language: Compliance | DevOps | Security

Slide 24

InSpec turns infrastructure testing, compliance and security requirements into code

Slide 25

Documentation
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

Slide 26

Scripting tools

Slide 27

The better way: TESTING A REQUIREMENT

Slide 28

Compliance Language

Slide 29

Standalone Usage

  $ inspec exec test.rb
  $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
  $ inspec exec test.rb -t winrm://[email protected] --password super
  $ inspec exec test.rb -t docker://3cc8837bb6a8

test.rb:

  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
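As an added illustration (not from the slides and not InSpec's own source), the following plain-Ruby sketch evaluates by hand what the `sshd_config` control above checks, showing why `cmp 2` accepts `Protocol 2` but rejects `Protocol 2,1` or a missing directive. The parser and the loose `cmp`-style comparison are simplified assumptions, and the sample configurations are constructed.

```ruby
# Simplified parse of sshd_config text into directive => value.
# Lines starting with '#' and blank lines are comments; directive names are
# case-insensitive and the first occurrence wins, matching OpenSSH semantics.
def parse_sshd_config(text)
  config = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    config[key.downcase] ||= value
  end
  config
end

# Loose comparison in the spirit of InSpec's `cmp` matcher (an approximation,
# not InSpec's code): the string "2" read from the file equals the integer 2,
# while "2,1" (SSHv1 still enabled) and a missing directive (nil) do not.
def cmp_equal?(actual, expected)
  return false if actual.nil?
  if expected.is_a?(Integer)
    Integer(actual.to_s.strip, 10) == expected
  else
    actual.to_s.strip.casecmp?(expected.to_s)
  end
rescue ArgumentError
  false # "2,1" is not an integer, so it cannot cmp == 2
end

# The control from the slide, evaluated by hand:
#   describe sshd_config do
#     its('Protocol') { should cmp 2 }
#   end
def check_protocol_v2(config_text)
  actual = parse_sshd_config(config_text)['protocol']
  if cmp_equal?(actual, 2)
    { status: 'passed', message: 'SSHD Configuration Protocol cmp == 2' }
  else
    { status: 'failed', message: "expected Protocol cmp == 2, got #{actual.inspect}" }
  end
end

# Constructed sample configurations (not captured from a real host).
COMPLIANT_CONFIG = "# hardened host\nPort 22\nProtocol 2\nPermitRootLogin no\n"
LEGACY_CONFIG    = "Protocol 2,1\nPermitRootLogin yes\n"
UNSET_CONFIG     = "Port 22\n"

[COMPLIANT_CONFIG, LEGACY_CONFIG, UNSET_CONFIG].each do |cfg|
  r = check_protocol_v2(cfg)
  puts "#{r[:status]}: #{r[:message]}"
end
```

An absent directive yields nil and is reported as failed rather than silently passing, which is the behaviour a compliance check needs when a host has never been configured.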

Slide 30

Supported Operating Systems

Slide 31

Built-in resources
apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge, bsd_service, command, csv, directory, etc_group, file, gem, group, groups, grub_conf, host, iis_site, inetd_conf, ini, interface, iptables, json, kernel_module, kernel_parameter, launchd_service, limits_conf, login_defs, mount, mssql_session, mysql, mysql_conf, mysql_session, npm, ntp_conf, oneget, os, os_env, package, parse_config, parse_config_file, passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, ppa, processes, registry_key, runit_service, script, security_policy, service, shadow, ssh_config, sshd_config, ssl, sys_info, systemd_service, sysv_service, upstart_service, user, users, vbscript, windows_feature, wmi, xinetd_conf, yaml, yum

Slide 32

Works with all DevOps tools, e.g.

Slide 33

Silo Breaking
• Build foundation for communication
• Share knowledge and code
• Codify agreements after audits

Slide 34

Mapping of Compliance Document to InSpec

Slide 35

Make Adjustments
My CIS L1 (InSpec overlay) on top of CIS Lvl1 (XML base profile)

Slide 36

Optimize for specific environments
Dev | Test | Production
My CIS L1 (InSpec overlay) on top of CIS Lvl1 (XML base profile)

Slide 37

InSpec Profiles
• Windows Patch Profile
• OS Hardening Profile
• SSH Hardening Profile
• Linux Patch Profile
github.com/dev-sec
github.com/chris-rock/acme-inspec-profile

Slide 39

InSpec Profiles

Slide 40

Continuous Compliance
Compliance | DevOps

Slide 41

Continuous Compliance

Slide 42

Continuous Compliance
• Scan for Compliance
• Build & Test Locally
• Build & Test in CI/CD
• Remediate
• Verify

Slide 43

Continuous Compliance
DevOps | Compliance | Security

Slide 44

The changing role of the compliance officer

Slide 45

Continuous Compliance

Slide 46

Why do we need compliance?
Is compliance preventing innovation?
Compliance-Driven Infrastructure

Slide 47

Further Resources
inspec.io
• Hands-on tutorials
• Extensive documentation
• Code examples
learn.chef.io
• More tutorials about Compliance and InSpec

Slide 48

Further Resources
Save Your Crash Dummies! A Test-driven Infrastructure Solution: http://bit.ly/crash_dummies
dev-sec.io
• github.com/dev-sec/tests-os-hardening
• github.com/dev-sec/tests-ssh-hardening
• github.com/dev-sec/windows-patch-benchmark
• github.com/dev-sec/linux-patch-benchmark

Slide 49

@chri_hartmann
Christoph Hartmann
Join: [email protected]

Slide 50

Chef vs InSpec